src: clean up filesystem/image operations

Instead of having a large and growing list of functions which perform
any number of possibly desired image flows:

 - from:
   - OCI container
   - filesystem
     - with or without root directory stat

 - selinux relabel (yes/no)

 - output:
   - create an image
   - compute an image checksum
   - print a dumpfile

Add a function for each source (oci, fs) for creating a FileSystem and
define some new high-level transformations and operations on the
FileSystem object itself.

These operations sort of depend on everything whereas the rest of the
code in tree.rs depends on almost nothing, so it feels a bit weird to
include them in that file.  I tried some other approaches here:

 - define a bunch of functions that take a FileSystem as their first
   argument and operate on it.  This had bad ergonomics because they
   essentially class methods, and it wasn't able to invoke them as such.

 - move FileSystem into a separate file and define the methods there.
   This was strange because lower-level parts of the code still
   had to create a FileSystem object, so they ended up depending on the
   higher-level file again.

 - define a "FileSystemOps" helper trait which is implemented only for
   FileSystem: this was probably the cleanest approach and had the
   advantage of requiring the trait to be in scope in order to perform
   the high-level operations.  The only reason I dismissed this one was
   because it was pointlessly complicated and required writing the
   method signatures twice.

In the end we just make use of the fact that it's possible to have
multiple `impl` blocks for a given `struct` as long as they're in the
same crate.  The "trait" approach might be a bit cleaner, but this works
as well.

Adjust various API users to make use of the new operations.

Overhaul the `cfsctl` commandline to be more consistent about the
offered operations and the flags that get passed to them.  Update the
examples as appropriate.

Signed-off-by: Allison Karlitskaya <[email protected]>

Author: allisonkarlitskaya

examples/bls/build

@@ -50,13 +50,13 @@ podman build \
 
 BASE_ID="$(sed s/sha256:// tmp/base.iid)"
 ${CFSCTL} oci pull containers-storage:${BASE_ID}
-BASE_IMAGE_FSVERITY="$(${CFSCTL} oci create-image "${BASE_ID}")"
+BASE_IMAGE_FSVERITY="$(${CFSCTL} oci compute-id --bootable "${BASE_ID}")"
 
 mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/etc/work"
 mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/etc/upper"
 mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/var"
 
-${CFSCTL} oci prepare-boot "${BASE_ID}" tmp/efi
+${CFSCTL} oci prepare-boot "${BASE_ID}" --bootdir tmp/efi
 
 OPTIONS="console=ttyS0,115200 composefs=${BASE_IMAGE_FSVERITY} rw"
 BLE="$(echo tmp/efi/loader/entries/*.conf)"

examples/uki/build

@@ -42,7 +42,7 @@ ${PODMAN_BUILD} \
 
 BASE_ID="$(sed s/sha256:// tmp/base.iid)"
 ${CFSCTL} oci pull containers-storage:"${BASE_ID}"
-BASE_IMAGE_FSVERITY="$(${CFSCTL} oci create-image "${BASE_ID}")"
+BASE_IMAGE_FSVERITY="$(${CFSCTL} oci compute-id --bootable "${BASE_ID}")"
 
 ${PODMAN_BUILD} \
     --iidfile=tmp/final.iid \
@@ -54,7 +54,7 @@ ${PODMAN_BUILD} \
 
 FINAL_ID="$(sed s/sha256:// tmp/final.iid)"
 ${CFSCTL} oci pull containers-storage:"${FINAL_ID}"
-FINAL_IMAGE_FSVERITY="$(${CFSCTL} oci create-image "${FINAL_ID}")"
+FINAL_IMAGE_FSVERITY="$(${CFSCTL} oci compute-id --bootable "${FINAL_ID}")"
 
 ## IMPORTANT: the filesystems of the base and final images are identical
 test "${BASE_IMAGE_FSVERITY}" = "${FINAL_IMAGE_FSVERITY}"
@@ -63,7 +63,7 @@ mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/etc/work"
 mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/etc/upper"
 mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/var"
 
-${CFSCTL} oci prepare-boot "${FINAL_ID}" tmp/efi
+${CFSCTL} oci prepare-boot "${FINAL_ID}" --bootdir tmp/efi
 
 ../common/install-systemd-boot
 ../common/make-image "${os}-uki-efi.qcow2"

examples/unified-secureboot/Containerfile

@@ -30,7 +30,7 @@ RUN --mount=type=bind,from=base,target=/mnt/base <<EOF
     set -eux
 
     mkdir -p /tmp/sysroot/composefs
-    COMPOSEFS_FSVERITY="$(cfsctl --repo /tmp/sysroot create-image /mnt/base)"
+    COMPOSEFS_FSVERITY="$(cfsctl --repo /tmp/sysroot compute-id --bootable /mnt/base)"
 
     mkdir -p /etc/kernel /etc/dracut.conf.d
     echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} rw" > /etc/kernel/cmdline

examples/unified-secureboot/build

@@ -48,13 +48,13 @@ podman build \
 
 IMAGE_ID="$(sed s/sha256:// tmp/iid)"
 ${CFSCTL} oci pull containers-storage:"${IMAGE_ID}"
-IMAGE_FSVERITY="$(${CFSCTL} oci create-image "${IMAGE_ID}")"
+IMAGE_FSVERITY="$(${CFSCTL} oci compute-id --bootable "${IMAGE_ID}")"
 
 mkdir -p "tmp/sysroot/state/${IMAGE_FSVERITY}/etc/work"
 mkdir -p "tmp/sysroot/state/${IMAGE_FSVERITY}/etc/upper"
 mkdir -p "tmp/sysroot/state/${IMAGE_FSVERITY}/var"
 
-${CFSCTL} oci prepare-boot "${IMAGE_ID}" tmp/efi
+${CFSCTL} oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi
 
 # install a signed copy of systemd-boot
 mkdir -p tmp/efi/loader

examples/unified/Containerfile

@@ -29,7 +29,7 @@ RUN --mount=type=bind,from=base,target=/mnt/base <<EOF
     set -eux
 
     mkdir -p /tmp/sysroot/composefs
-    COMPOSEFS_FSVERITY="$(cfsctl --repo /tmp/sysroot create-image /mnt/base)"
+    COMPOSEFS_FSVERITY="$(cfsctl --repo /tmp/sysroot compute-id --bootable /mnt/base)"
 
     mkdir -p /etc/kernel /etc/dracut.conf.d
     echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} rw" > /etc/kernel/cmdline

examples/unified/build

@@ -30,13 +30,13 @@ podman build \
 
 IMAGE_ID="$(sed s/sha256:// tmp/iid)"
 ${CFSCTL} oci pull containers-storage:"${IMAGE_ID}"
-IMAGE_FSVERITY="$(${CFSCTL} oci create-image "${IMAGE_ID}")"
+IMAGE_FSVERITY="$(${CFSCTL} oci compute-id --bootable "${IMAGE_ID}")"
 
 mkdir -p "tmp/sysroot/state/${IMAGE_FSVERITY}/etc/work"
 mkdir -p "tmp/sysroot/state/${IMAGE_FSVERITY}/etc/upper"
 mkdir -p "tmp/sysroot/state/${IMAGE_FSVERITY}/var"
 
-${CFSCTL} oci prepare-boot "${IMAGE_ID}" tmp/efi
+${CFSCTL} oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi
 
 ../common/install-systemd-boot
 ../common/make-image fedora-unified-efi.qcow2

src/bin/cfsctl.rs

@@ -39,20 +39,31 @@ enum OciCommand {
         /// the name of the stream
         name: String,
     },
-    CreateDumpfile {
-        layers: Vec<String>,
+    Dump {
+        config_name: String,
+        config_verity: Option<String>,
     },
     Pull {
         image: String,
         name: Option<String>,
     },
+    ComputeId {
+        config_name: String,
+        config_verity: Option<String>,
+        #[clap(long)]
+        bootable: bool,
+    },
     CreateImage {
-        config: String,
-        name: Option<String>,
+        config_name: String,
+        config_verity: Option<String>,
+        #[clap(long)]
+        bootable: bool,
+        #[clap(long)]
+        image_name: Option<String>,
     },
     Seal {
-        name: String,
-        verity: Option<String>,
+        config_name: String,
+        config_verity: Option<String>,
     },
     Mount {
         name: String,
@@ -62,8 +73,10 @@ enum OciCommand {
         name: String,
     },
     PrepareBoot {
-        name: String,
-        bootdir: Option<PathBuf>,
+        config_name: String,
+        config_verity: Option<String>,
+        #[clap(long, default_value = "/boot")]
+        bootdir: PathBuf,
     },
 }
 
@@ -97,22 +110,45 @@ enum Command {
     },
     CreateImage {
         path: PathBuf,
+        #[clap(long)]
+        bootable: bool,
+        #[clap(long)]
+        stat_root: bool,
+        image_name: Option<String>,
+    },
+    ComputeId {
+        path: PathBuf,
+        #[clap(long)]
+        bootable: bool,
+        #[clap(long)]
+        stat_root: bool,
     },
     CreateDumpfile {
         path: PathBuf,
+        #[clap(long)]
+        bootable: bool,
+        #[clap(long)]
+        stat_root: bool,
     },
     ImageObjects {
         name: String,
     },
 }
 
+fn verity_opt(opt: &Option<String>) -> Result<Option<Sha256HashValue>> {
+    Ok(match opt {
+        Some(value) => Some(FsVerityHashValue::from_hex(value)?),
+        None => None,
+    })
+}
+
 #[tokio::main]
 async fn main() -> Result<()> {
     env_logger::init();
 
     let args = App::parse();
 
-    let repo: Repository<Sha256HashValue> = (if let Some(path) = args.repo {
+    let repo: Repository<Sha256HashValue> = (if let Some(path) = &args.repo {
         Repository::open_path(CWD, path)
     } else if args.system {
         Repository::open_system()
@@ -136,7 +172,7 @@ async fn main() -> Result<()> {
         }
         Command::ImportImage { reference } => {
             let image_id = repo.import_image(&reference, &mut std::io::stdin())?;
-            println!("{}", image_id.to_hex());
+            println!("{}", image_id.to_id());
         }
         Command::Oci { cmd: oci_cmd } => match oci_cmd {
             OciCommand::ImportLayer { name, sha256 } => {
@@ -146,29 +182,57 @@ async fn main() -> Result<()> {
                     name.as_deref(),
                     &mut std::io::stdin(),
                 )?;
-                println!("{}", object_id.to_hex());
+                println!("{}", object_id.to_id());
             }
             OciCommand::LsLayer { name } => {
                 oci::ls_layer(&repo, &name)?;
             }
-            OciCommand::CreateDumpfile { layers } => {
-                oci::image::create_dumpfile(&repo, &layers)?;
+            OciCommand::Dump {
+                ref config_name,
+                ref config_verity,
+            } => {
+                let verity = verity_opt(config_verity)?;
+                let mut fs = oci::image::create_filesystem(&repo, config_name, verity.as_ref())?;
+                fs.print_dumpfile()?;
             }
-            OciCommand::CreateImage { config, name } => {
-                let image_id = oci::image::create_image(&repo, &config, name.as_deref(), None)?;
-                println!("{}", image_id.to_hex());
+            OciCommand::ComputeId {
+                ref config_name,
+                ref config_verity,
+                bootable,
+            } => {
+                let verity = verity_opt(config_verity)?;
+                let mut fs = oci::image::create_filesystem(&repo, config_name, verity.as_ref())?;
+                if bootable {
+                    fs.transform_for_boot(&repo)?;
+                }
+                let id = fs.compute_image_id();
+                println!("{}", id.to_hex());
+            }
+            OciCommand::CreateImage {
+                ref config_name,
+                ref config_verity,
+                bootable,
+                ref image_name,
+            } => {
+                let verity = verity_opt(config_verity)?;
+                let mut fs = oci::image::create_filesystem(&repo, config_name, verity.as_ref())?;
+                if bootable {
+                    fs.transform_for_boot(&repo)?;
+                }
+                let image_id = fs.commit_image(&repo, image_name.as_deref())?;
+                println!("{}", image_id.to_id());
             }
             OciCommand::Pull { ref image, name } => {
                 oci::pull(&Arc::new(repo), image, name.as_deref()).await?
             }
-            OciCommand::Seal { verity, ref name } => {
-                let (sha256, verity) = oci::seal(
-                    &Arc::new(repo),
-                    name,
-                    verity.map(Sha256HashValue::from_hex).transpose()?.as_ref(),
-                )?;
+            OciCommand::Seal {
+                ref config_name,
+                ref config_verity,
+            } => {
+                let verity = verity_opt(config_verity)?;
+                let (sha256, verity) = oci::seal(&Arc::new(repo), config_name, verity.as_ref())?;
                 println!("sha256 {}", hex::encode(sha256));
-                println!("verity {}", verity.to_hex());
+                println!("verity {}", verity.to_id());
             }
             OciCommand::Mount {
                 ref name,
@@ -179,25 +243,58 @@ async fn main() -> Result<()> {
             OciCommand::MetaLayer { ref name } => {
                 oci::meta_layer(&repo, name, None)?;
             }
-            OciCommand::PrepareBoot { ref name, bootdir } => {
-                let output = bootdir.unwrap_or(PathBuf::from("/boot"));
-                oci::prepare_boot(&repo, name, None, &output)?;
+            OciCommand::PrepareBoot {
+                ref config_name,
+                ref config_verity,
+                ref bootdir,
+            } => {
+                let verity = verity_opt(config_verity)?;
+                oci::prepare_boot(&repo, config_name, verity.as_ref(), bootdir)?;
             }
         },
-        Command::CreateImage { ref path } => {
-            let image_id = composefs::fs::create_image(path, Some(&repo))?;
-            println!("{}", image_id.to_hex());
+        Command::ComputeId {
+            ref path,
+            bootable,
+            stat_root,
+        } => {
+            let mut fs = composefs::fs::read_from_path(path, Some(&repo), stat_root)?;
+            if bootable {
+                fs.transform_for_boot(&repo)?;
+            }
+            let id = fs.compute_image_id();
+            println!("{}", id.to_hex());
         }
-        Command::CreateDumpfile { ref path } => {
-            composefs::fs::create_dumpfile::<Sha256HashValue>(path)?;
+        Command::CreateImage {
+            ref path,
+            bootable,
+            stat_root,
+            ref image_name,
+        } => {
+            let mut fs = composefs::fs::read_from_path(path, Some(&repo), stat_root)?;
+            if bootable {
+                fs.transform_for_boot(&repo)?;
+            }
+            let id = fs.commit_image(&repo, image_name.as_deref())?;
+            println!("{}", id.to_id());
+        }
+        Command::CreateDumpfile {
+            ref path,
+            bootable,
+            stat_root,
+        } => {
+            let mut fs = composefs::fs::read_from_path(path, Some(&repo), stat_root)?;
+            if bootable {
+                fs.transform_for_boot(&repo)?;
+            }
+            fs.print_dumpfile()?;
         }
         Command::Mount { name, mountpoint } => {
             repo.mount(&name, &mountpoint)?;
         }
         Command::ImageObjects { name } => {
             let objects = repo.objects_for_image(&name)?;
             for object in objects {
-                println!("{}", object.to_hex());
+                println!("{}", object.to_id());
             }
         }
         Command::GC => {

src/filesystem_ops.rs

@@ -0,0 +1,36 @@
+use anyhow::Result;
+
+use crate::{
+    dumpfile::write_dumpfile,
+    erofs::writer::mkfs_erofs,
+    fsverity::{compute_verity, FsVerityHashValue},
+    repository::Repository,
+    selabel::selabel,
+    tree::FileSystem,
+};
+
+impl<ObjectID: FsVerityHashValue> FileSystem<ObjectID> {
+    pub fn transform_for_boot(&mut self, repo: &Repository<ObjectID>) -> Result<()> {
+        selabel(self, repo)?;
+        Ok(())
+    }
+
+    pub fn commit_image(
+        &mut self,
+        repository: &Repository<ObjectID>,
+        image_name: Option<&str>,
+    ) -> Result<ObjectID> {
+        self.ensure_root_stat();
+        repository.write_image(image_name, &mkfs_erofs(self))
+    }
+
+    pub fn compute_image_id(&mut self) -> ObjectID {
+        self.ensure_root_stat();
+        compute_verity(&mkfs_erofs(self))
+    }
+
+    pub fn print_dumpfile(&mut self) -> Result<()> {
+        self.ensure_root_stat();
+        write_dumpfile(&mut std::io::stdout(), self)
+    }
+}